"Auditing Information Systems, Second Edition presents an easy, practical guide to auditing information systems that can be applied to all computing environments." "With the Second Edition of this popular resource, auditors will be able to examine an organization's hardware, software, data protection, and processing methods to ensure that adequate controls and security are in place. Little in the way of prerequisite technical know-how is required. The Second Edition devotes special attention to the issues of most concern to information managers today. It provides over 80 case studies that demonstrate how concepts can be applied in real-world situations." "Auditing Information Systems, Second Edition empowers auditors, information security professionals, managers, and audit committees to effectively gauge the adequacy and effectiveness of information systems controls."--Jacket.

Part 1Core Conecepts -- 1 -- Chapter 1 Basics of Computing Systems -- 3 -- Central Processing Unit -- 3 -- Operating System -- 8 -- Application Programs -- 8 -- Database Management Systems -- 9 -- Physical Security Controls -- 9 -- Logical Security Controls -- 10 -- Location of Physical and Logical Security Controls -- 11 -- Chapter 2 Identifying Computer Systems -- 15 -- Benefits of a Computing Systems Inventory -- 17 -- Risk Assessment -- 19 -- Part 2 Standard Information Systems Audit Approach -- 25 -- Chapter 3 Information Systems Audit Program -- 27 -- Other Benefits of Audit Programs -- 27 -- Information Systems Audit Program -- 28 -- Chapter 4 Information Systems Security Policies, Standards, and/or Guidelines -- 35 -- Information Systems Security Policies -- 36 -- Information Systems Security Standards -- 43 -- Information Systems Security Guidelines -- 46 -- Chapter 5 Auditing Service Organization Applications -- 53 -- Service Auditor Reports -- 55 -- Use of Service Auditor Reports for Internal Audits -- 65 -- Report of Independent Auditors -- 66 -- Description of Relevant Policies and Procedures and Other Information -- 74 -- Control Objectives as Specified by Service Organization Management -- 74 -- Client Control Considerations -- 79 -- Alternatives to SAS 70-Type Audits -- 79 -- Chapter 6 Assessing the Financial Stability of Vendor Organizations, Examining Vendor Organization Contracts, and Examining Accounting Treatment of Computer Equipment and Software -- 91 -- Assessing Financial Stability of Vendor Organizations -- 91 -- Examining Vendor Organization Contracts -- 100 -- Examining Accounting Treatment of Computer Hardware and Software -- 104 -- Chapter 7 Physical Security -- 107 -- Physical Locks -- 110 -- Security Guards -- 120 -- Video Surveillance Cameras -- 122 -- General Emergency and Detection Controls -- 122 -- Heating, Ventilation, and Cooling Systems -- 123 -- Insurance Coverage -- 124 -- Periodic Backups -- 127 -- Emergency Power and Uninterruptible Power Supply Systems -- 131 -- Business Resumption Programs -- 132 -- Key Aspects of an Information Systems Business Resumption Program -- 134 -- Backup System Security Administrator -- 136 -- Chapter 8 Logical Security -- 141 -- Logical Security Design -- 141 -- Bringing a New System to Life -- 144 -- User IDs and Passwords -- 150 -- Remote Access Controls -- 150 -- System Security Administration -- 153 -- Wire Transfer Fraud -- 170 -- Chapter 9 Information Systems Operations -- 185 -- Computer Operations -- 186 -- Business Operations -- 192 -- Efficiency and Effectiveness of Information Systems in Business Operations -- 202 -- Part 3 Contemporary Information Systems Auditing Concepts -- 209 -- Chapter 10 Control Self-Assessment and an Application in an Information Systems Environment -- 211 -- History -- 212 -- Keys to a Successful Program -- 215 -- Internal Control Frameworks -- 216 -- Coso -- 216 -- CoCo -- 218 -- Cadbury -- 220 -- Cobit -- 221 -- SAC and eSAC -- 224 -- SASs 55/78/94 -- 227 -- Additional Keys to a Successful Program -- 228 -- Various Approaches -- 229 -- Benefits of a Successful Program -- 232 -- Chapter 11 Encryption and Cryptography -- 247 -- Terminology -- 249 -- Goal of Cryptographic Controls -- 250 -- Encryption -- 251 -- Hashing -- 256 -- Digital Signatures and Digital Certificates -- 257 -- Key Management -- 259 -- Political Aspects of Cryptography -- 260 -- Chapter 12 Computer Forensics -- 265 -- Investigations -- 268 -- Chapter 13 Other Contemporary Information Systems Auditing Challenges -- 277 -- Computer-Assisted Audit Techniques -- 277 -- Computer Viruses -- 286 -- Software Piracy -- 291 -- Electronic Commerce -- 293 -- Internet Security -- 295 -- Information Privacy -- 303 -- Privacy Laws and Regulations -- 307 -- Firewalls -- 314 -- Chapter 14 Humanistic Aspects of Information Systems Auditing -- 321 -- Training -- 323 -- Active Participation in Professional Associations -- 325 -- Networking -- 329 -- Professional Certifications Related to Information Systems Audit, Control, and Security -- 331 -- Practical Experience -- 339 -- Humanistic Skills for Successful Auditing -- 339 -- Motivation Of Auditors -- 341 -- Chapter 15 Information Systems Project Management Audits -- 355 -- Primary Information Systems Project Risks -- 356 -- Project Failure -- 356 -- Vendor Goes Out of Business -- 367 -- Poorly Worded Contracts or Agreements -- 368 -- External Contractor Risks -- 369 -- Financial Statement Risks -- 370 -- New Technologies -- 376 -- Constant Risks -- 378 -- Appendix A Professional Auditing Associations and Other Organizations Related to Information Systems Auditing and Computer Security -- 383 -- Appendix B Common Criteria for Information Technology Security Evaluation -- 395 -- Appendix C The International Organization for Standardization: Seven-Layer Open Systems Interconnection Reference Model -- 401 -- Appendix D The Year 2000 Problem: A Project Not to Be Forgotten are available online at www.wiley.com/go/information systems -- Appendix E U.S. Department of Defense "Orange Book" Trusted Computer System Evaluation are available online at www.wiley.com/go/information systems.